U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Evaluation Report
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2013

OAS-M-14-01                          October 2013

                                 Department of Energy
                                 Washington, DC 20585
                                    October 23, 2013

MEMORANDUM FOR THE EXECUTIVE DIRECTOR, FEDERAL ENERGY REGULATORY COMMISSION

FROM:                    Rickey R. Hass
                         Deputy Inspector General for Audits and Inspections
                         Office of Inspector General

SUBJECT:                 INFORMATION: Evaluation Report on "The Federal Energy
                         Regulatory Commission's Unclassified Cyber Security Program – 2013"

BACKGROUND

The Federal Energy Regulatory Commission (Commission) is an independent agency within the
Department of Energy (Department) responsible for, among other things, regulating the interstate
transmission of the Nation's electricity, natural gas and oil. To realize its mission, the
Commission gathers and analyzes significant amounts of data related to energy markets, using a
wide range of information technology resources. As highlighted by recent cyber attacks on
Federal entities, including the Department, the information security threat of a breach or loss of
information technology assets or information contained in these assets continues to increase as
attacks become more sophisticated and prevalent.
To help protect against continuing cyber
security threats, the Commission estimated that it would spend approximately $5.8 million
during Fiscal Year (FY) 2013 to secure its information technology assets, a 9 percent increase
compared to FY 2012.

The Federal Information Security Management Act of 2002 (FISMA) established requirements
for Federal agencies related to the management and oversight of information security risks and to
ensure that information technology resources were adequately protected. As directed by FISMA,
the Office of Inspector General conducted an independent evaluation of the Commission's
unclassified cyber security program to determine whether it adequately protected data and
information systems. This report presents the results of our evaluation for FY 2013.

RESULTS OF EVALUATION

The Commission had taken action to improve its cyber security posture and mitigate risks
associated with the weaknesses identified during our FY 2012 evaluation. Our current
evaluation, however, disclosed that additional opportunities existed to better protect information
systems and data. In particular, we continued to identify weaknesses related to the Commission's
timely remediation of software vulnerabilities.

Due to security considerations, information on specific vulnerabilities has been omitted from this
report. However, management was provided with detailed information regarding identified
vulnerabilities and, in certain instances, had initiated corrective action.

                                        Positive Aspects

The Commission had taken a number of positive actions related to enhancing its unclassified
cyber security program. For example, the Commission continued to make improvements in
implementing the existing Vulnerability Management Program.
Specifically, we found that the
Commission:

   •   Continued implementation of a project to upgrade the software tool used to manage patch
       and software deployment. This project is expected to be completed in October 2013 and
       should reduce the need to manually update systems.

   •   Effectively designed and operated general and application information technology
       controls such as access controls and contingency planning measures to protect its
       information.

   •   Created a process to implement longstanding missing patches. Specifically, Commission
       officials conducted weekly status meetings to discuss and prioritize outstanding software
       patches so that critical and high-risk patches are tested and implemented. Officials told
       us that they hoped to have longstanding missing patch issues resolved by November
       2013.

                                       Patch Management

Although progress had been made to secure the Commission's servers and workstations, our
review of Commission vulnerability scan results identified additional opportunities for it to
ensure that all devices were patched in a timely manner. Specifically, we noted:

   •   132 workstations and servers contained vulnerable productivity applications;

   •   114 workstations and servers were using vulnerable software utilities;

   •   23 workstations and servers had antivirus applications with known vulnerabilities; and

   •   460 workstations and servers had utilized vulnerable web browser applications.

Each of the vulnerabilities was considered to be critical or high risk; however, we were unable
to determine how long the vulnerabilities existed in the environment based on the information
provided by Commission officials.
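
The gap the findings above describe (hosts with critical and high-risk findings could be counted,
but the age of each finding could not be determined) is closed by carrying a first-seen and
last-seen date for every (host, finding) pair across successive authenticated scan runs. The
following Python is an added example, not part of this report and not a Commission tool: the
host names, finding identifiers, software categories and scan dates are constructed sample data,
and the 14-day remediation window is an assumed value. It produces the per-category host counts
the report cites, lists critical/high findings that have stayed open past the window, and lists
findings that dropped out of the latest scan and therefore need a verifying rescan.

```python
from collections import defaultdict
from datetime import date

# Constructed sample export of authenticated scan results: one row per
# (host, finding) per scan run. Host names, finding ids, categories and dates
# are made up for illustration and are not taken from the report.
MAY_SCAN = date(2013, 5, 6)
JUNE_SCAN = date(2013, 6, 3)

SCANS = [
    # (host, finding id, software category, severity, scan date)
    ("ws-001",  "office-suite-2013-A", "productivity", "critical", MAY_SCAN),
    ("ws-002",  "office-suite-2013-A", "productivity", "critical", MAY_SCAN),
    ("ws-001",  "archiver-2013-B",     "utility",      "high",     MAY_SCAN),
    ("srv-010", "av-engine-2013-C",    "antivirus",    "high",     MAY_SCAN),
    ("ws-003",  "browser-2013-D",      "browser",      "critical", MAY_SCAN),
    ("ws-005",  "media-player-2013-E", "utility",      "medium",   MAY_SCAN),
    # June run: ws-002 was patched (absent), the others persist, ws-004 is new
    ("ws-001",  "office-suite-2013-A", "productivity", "critical", JUNE_SCAN),
    ("ws-001",  "archiver-2013-B",     "utility",      "high",     JUNE_SCAN),
    ("srv-010", "av-engine-2013-C",    "antivirus",    "high",     JUNE_SCAN),
    ("ws-003",  "browser-2013-D",      "browser",      "critical", JUNE_SCAN),
    ("ws-004",  "browser-2013-D",      "browser",      "critical", JUNE_SCAN),
    ("ws-005",  "media-player-2013-E", "utility",      "medium",   JUNE_SCAN),
]

CRITICAL_OR_HIGH = {"critical", "high"}


def hosts_by_category(rows, scan_date):
    """Distinct hosts with a critical/high finding, per software category, in one run.

    This is the kind of point-in-time count the report gives (132 hosts with
    vulnerable productivity applications, and so on); it says nothing about
    how long each host has been exposed.
    """
    hosts = defaultdict(set)
    for host, _fid, category, severity, when in rows:
        if when == scan_date and severity in CRITICAL_OR_HIGH:
            hosts[category].add(host)
    return {category: len(h) for category, h in sorted(hosts.items())}


def first_last_seen(rows):
    """Map (host, finding id) -> (first scan date seen, most recent scan date seen).

    Retaining this across runs is what makes vulnerability age measurable.
    """
    seen = {}
    for host, fid, _category, _severity, when in rows:
        key = (host, fid)
        first, last = seen.get(key, (when, when))
        seen[key] = (min(first, when), max(last, when))
    return seen


def overdue(rows, latest_scan, sla_days, as_of=None):
    """Critical/high findings still present in the latest run and open longer than sla_days.

    Age is measured from the first run in which the finding appeared to as_of
    (defaults to the latest scan date).
    """
    as_of = as_of or latest_scan
    severity_of = {(h, f): s for h, f, _c, s, _w in rows}
    out = []
    for (host, fid), (first, last) in first_last_seen(rows).items():
        if last != latest_scan or severity_of[(host, fid)] not in CRITICAL_OR_HIGH:
            continue
        age_days = (as_of - first).days
        if age_days > sla_days:
            out.append((host, fid, age_days))
    return sorted(out)


def remediated(rows, latest_scan):
    """Findings seen in an earlier run but absent from the latest one.

    These are the candidates for remediation verification: a finding is closed
    on the strength of a clean rescan, not of a deployment log.
    """
    return sorted(key for key, (_first, last) in first_last_seen(rows).items()
                  if last != latest_scan)


if __name__ == "__main__":
    print("June hosts by category:", hosts_by_category(SCANS, JUNE_SCAN))
    for host, fid, age in overdue(SCANS, JUNE_SCAN, sla_days=14):
        print(f"OVERDUE {host} {fid} open {age} days")
    print("absent since last run, verify:", remediated(SCANS, JUNE_SCAN))
```

The first-seen date is the value an auditor needs to answer "how long has this been exposed";
a scan export that keeps only the most recent run cannot supply it, which is why the view has to
be maintained across runs rather than recomputed from one export.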
As noted by the National Institute of Standards and
Technology, proactively identifying and remediating system vulnerabilities can reduce or
eliminate the potential for exploitation and involves considerably less time than responding to
exploitation of vulnerabilities.

                                     Policy Implementation

Similar to prior years, the problems we identified with the Commission's Vulnerability
Management Program were due, in part, to policies and procedures that were not fully effective.
Specifically, even though the Commission had taken action to strengthen its Vulnerability
Management Program, our review found that the Commission had not fully updated existing
security patch management and vulnerability management processes and technical controls to
address the recommended actions. We determined that vulnerabilities similar in type, frequency
and risk level to those identified during our FY 2012 evaluation continue to exist in the
Commission's information technology environment. Officials stated, and we agree, that
successful completion of the Commission's ongoing project to update its Vulnerability
Management Program policies and patch management technologies is important to maintaining
an effective security posture.

                         Risks to Commission Systems and Information

The Commission had continued to make progress in improving its cyber security posture;
however, additional actions are needed to reduce the risk to the agency's information systems and
data. For instance, workstations and network servers running vulnerable applications and
utilities were at a heightened risk for malicious attacks that could result in the compromise of
those systems and/or the information contained within those systems.
We noted that an attacker
could exploit the vulnerabilities to gain unauthorized access to systems, applications and
sensitive data, including financial systems and data, which could disrupt normal business
operations or have negative impacts on system and data reliability.

RECOMMENDATION

To correct the weaknesses identified in this report and improve the effectiveness of the
Commission's unclassified cyber security program, we recommend that the Executive Director,
Federal Energy Regulatory Commission:

   •   Update, as needed, and implement existing vulnerability and patch management
       procedures to ensure that security vulnerabilities are remediated and verified in a timely
       manner, in accordance with the Vulnerability Management Program.

MANAGEMENT REACTION

The Commission concurred with the report's recommended action and stated that it had initiated
corrective action to address weaknesses identified in the report. In particular, management
commented that the Commission is in the process of reviewing and updating all existing policies,
procedures and security program documentation related to vulnerability and patch management.

AUDITOR COMMENTS

Management's comments were responsive to our recommendation and are included in
Attachment 3.

Attachments

cc:   Deputy Secretary
      Chief of Staff

                                                                                   Attachment 1

                      OBJECTIVE, SCOPE AND METHODOLOGY

OBJECTIVE

To determine whether the Federal Energy Regulatory Commission's (Commission) unclassified
cyber security program adequately protected data and information systems.

SCOPE

The evaluation was performed between May and October 2013, at the Commission's
Headquarters in Washington, DC.
Specifically, KPMG, LLP (KPMG), the Office of Inspector
General's contract auditor, performed an assessment of the Commission's unclassified cyber
security program. The evaluation included a review of general and application controls in areas
such as security management, access controls, configuration management, segregation of duties
and contingency planning. In addition, KPMG reviewed the Commission's results of
workstation and server authenticated scans for the period of May and June 2013.

METHODOLOGY

To accomplish our objective, we:

   •   Reviewed Federal laws and regulations related to controls over information technology
       security such as the Federal Information Security Management Act of 2002, Office of
       Management and Budget Memoranda and National Institute of Standards and
       Technology standards and guidance.

   •   Evaluated the Commission in conjunction with its annual audit of the Financial
       Statements, utilizing work performed by KPMG. Office of Inspector General and KPMG
       work included analysis and testing of general and application controls for the network
       and systems and review of the network configuration.

   •   Reviewed the overall unclassified cyber security program management, including the
       Commission's policies, procedures and practices.

   •   Held discussions with Commission officials and reviewed relevant documentation.

   •   Reviewed prior reports issued by the Office of Inspector General and the U.S.
       Government Accountability Office.

We conducted this evaluation in accordance with generally accepted Government auditing
standards. Those standards require that we plan and perform the effort to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our
audit objectives.
We believe that the evidence obtained provides a reasonable basis for our
finding and conclusions based on our evaluation objective. Accordingly, we assessed significant
internal controls and the Commission's implementation of the GPRA Modernization Act of 2010
and determined that it had established a performance measure for its information and
unclassified cyber security program. Because our evaluation was limited, it would not have
necessarily disclosed all internal control deficiencies that may have existed at the time of our
evaluation. We relied on computer-processed data to satisfy our objective. In particular, KPMG
reviewed the results of authenticated scans for workstations and servers for the period of May
and June 2013. We validated the results of the scans by confirming the weaknesses disclosed
with responsible on-site personnel.

An exit conference was waived by the Commission.

                                                                                       Attachment 2

                                        PRIOR REPORTS

•   Evaluation Report on The Federal Energy Regulatory Commission's Unclassified Cyber
    Security Program – 2012, (OAS-L-13-01, November 2012). The Federal Energy Regulatory
    Commission (Commission) had taken actions to improve its cyber security posture and
    mitigate risks associated with weaknesses identified during our Fiscal Year (FY) 2011
    evaluation. While these actions are noteworthy, our evaluation disclosed additional
    opportunities existed to better protect its information systems and data. Specifically, we
    continued to identify weaknesses related to the Commission's timely remediation of software
    vulnerabilities.
    The problems we identified with the Commission's vulnerability
    management process were due, in part, to less than fully effective implementation of policies
    and procedures. In addition, Commission officials informed us that they did not follow their
    existing Vulnerability Management Program policies due to budget and resource constraints.
    As corrective action was initiated by management in certain instances, we made a suggestion
    to update existing vulnerability and patch management procedures as needed to ensure that
    security vulnerabilities are remediated and verified in a timely manner.

•   Evaluation Report on The Federal Energy Regulatory Commission's Unclassified Cyber
    Security Program – 2011, (OAS-M-12-01, November 2011). The Commission had taken
    actions to improve its cyber security posture and mitigate risks associated with certain issues
    identified during our FY 2010 evaluation. While these measures were noteworthy, our
    evaluation disclosed that additional action was needed to further protect information systems
    and data. Specifically, we continued to identify weaknesses related to the Commission's
    timely remediation of software vulnerabilities. The problems we identified with the
    Commission's vulnerability management program were due, in part, to less than fully
    effective implementation of policies and procedures. Although the Commission continued to
    make progress in improving its cyber security posture, additional actions were needed to
    further reduce the risk to the agency's information systems and data. Management concurred
    with the report's recommendations and commented that it had initiated actions to address
    weaknesses identified during our evaluation.

•   Evaluation Report on The Federal Energy Regulatory Commission's Unclassified Cyber
    Security Program – 2010, (OAS-M-11-01, October 2010).
    The Commission had taken
    actions to significantly improve its cyber security posture and mitigate risks associated with
    each of the four weaknesses we identified during our FY 2009 evaluation. However,
    additional action was needed to improve protection of information systems and data.
    Specifically, we found that security patches needed to resolve known vulnerabilities
    discovered during regularly scheduled scans were not applied to all workstations in a timely
    manner. In addition, even though officials had established an automated mechanism for
    tracking all known vulnerabilities, only 10 percent of the identified "high risk" vulnerabilities
    were actually being tracked. The problems we identified with the Commission's unclassified
    cyber security program were due, in part, to the less than fully effective implementation of
    policies and procedures. As such, the risk to the agency's information systems and data
    remained higher than necessary. Management concurred with the report's recommendations
    and commented that it had initiated actions to address weaknesses identified during our
    evaluation.

                                                                                       Attachment 3

MANAGEMENT COMMENTS